private data objects on smartcard

Damien Goutte-Gattat dgouttegattat at incenp.org
Fri Jan 31 00:14:15 CET 2020


Hi,

On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users wrote:
>How do you write to these objects? Can GnuPG do this? I didn't find 
>any way with --card-edit or --card-status.

You can use the (undocumented) command "privatedo" from GnuPG's 
--card-edit menu. For example, to write into the private DO #1:

  $ gpg --card-edit
  gpg/card> privatedo 1
  Private DO data: [enter whatever value you want to store into the DO]

Or, to write the contents of a file into the private DO #2:

  $ gpg --card-edit
  gpg/card> privatedo 2 < [filename]


> And can GnuPG read these objects?

Yes. If a private DO contains a value, it will be listed in the output 
from the --card-status command.


>I read somewhere, the size of these objects is 2048 bytes each. How 
>many of these objects exist on a smartcard?

First, note that private DOs are an optional feature of the OpenPGP 
smart card; not all implementations support them.

You can use the following command to check if an OpenPGP smart card 
supports private DOs:

  $ gpg-connect-agent 'SCD LEARN --force' /bye | grep EXTCAP
  S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

Here, "pd=1" means the card does have private DOs. "pd=0" would indicate 
that private DOs are not supported.

When private DOs are supported, there are four of them. For cards 
compatible with versions 1.x or 2.x of the specification, they have a 
size of 254 bytes. For 3.x cards, the size of the private DOs is defined 
by the implementation (the OpenPGP smart card from FLOSS Shop [1] has 
indeed 2048-byte private DOs).

Cheers,

- Damien


[1] 
https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=40
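As an added example that is not part of the post above or of GnuPG itself: a small POSIX shell script that automates the check described in the reply. It parses the EXTCAP status line that "SCD LEARN --force" returns for any key (pd, mcl3, ...) and, when the card advertises pd=1, reads the four private DOs through scdaemon's GETATTR command. The EXTCAP key names are the ones shown in the reply; the attribute names PRIVATE-DO-1 to PRIVATE-DO-4 are the ones GnuPG's scdaemon uses for these objects (the privatedo menu command is a front end to the same SETATTR/GETATTR interface); the EXTCAP sample lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG.

# extcap_value LINE KEY: print KEY's value from an scdaemon EXTCAP
# status line ("S EXTCAP k=v+k=v+..."); fail if KEY is absent.
# Accepts either the raw "S EXTCAP ..." line or just the k=v payload.
extcap_value() {
    _key=$2
    _fields=${1#S EXTCAP }
    _old_ifs=$IFS
    IFS='+'                       # fields are separated by '+'
    for _f in $_fields; do
        case $_f in
            "$_key="*)
                IFS=$_old_ifs
                printf '%s\n' "${_f#*=}"
                return 0
                ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# has_private_dos LINE: succeed only when the card advertises pd=1.
has_private_dos() {
    [ "$(extcap_value "$1" pd)" = "1" ]
}

# card_private_dos: talk to the running scdaemon via gpg-connect-agent.
# Needs a card plugged in. Per the OpenPGP card specification, DOs 3 and
# 4 are readable only after PIN verification, so those GETATTRs may
# trigger a pinentry prompt.
card_private_dos() {
    _extcap=$(gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP') \
        || { echo "no EXTCAP line: no card inserted or scdaemon not reachable" >&2; return 1; }
    if ! has_private_dos "$_extcap"; then
        echo "card does not support private DOs (pd=0)" >&2
        return 1
    fi
    echo "private DOs supported; mcl3 (max certificate length)=$(extcap_value "$_extcap" mcl3)"
    for _n in 1 2 3 4; do
        # A filled DO answers with a status line "S PRIVATE-DO-n <data>"
        # (data may be percent-escaped); an empty or unreadable DO answers
        # with an ERR line instead, which grep drops.
        gpg-connect-agent "SCD GETATTR PRIVATE-DO-$_n" /bye | grep "^S PRIVATE-DO-$_n" \
            || echo "PRIVATE-DO-$_n: empty or not readable"
    done
}

# Run the live check only when asked, so the file can also be sourced
# for its parsing functions.
if [ "${1:-}" = "--card" ]; then
    card_private_dos
fi
```

Run it as `sh check-private-dos.sh --card` with the card inserted; without the flag it only defines the functions, so it can be sourced and used to inspect any EXTCAP line captured elsewhere.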